Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 6 additions & 6 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -52,11 +52,14 @@ jobs:
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6.0.0

- name: Setup Node 22
- name: Setup Node 24
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: "22"
cache: "npm"
# Node 24 ships npm >= 11.5.1, which supports OIDC trusted
# publishing out of the box (no global npm install needed).
node-version: "24"
# No npm cache here: keep the publish job's environment minimal
# for OIDC trusted publishing (per CodeRabbit review).
Comment on lines +61 to +62

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Explicitly disable setup-node's npm auto-cache

In this privileged publish job, removing the cache input does not actually make the setup cache-free: actions/setup-node v6 documents that npm caching is automatically enabled when package.json has a top-level packageManager set to npm, unless package-manager-cache: false is provided. Since this repo declares packageManager: npm@10.9.7, the job will still restore/save the npm cache despite the new “No npm cache here” comment; add the explicit input if the OIDC publish environment must stay minimal.

Useful? React with 👍 / 👎.

# No registry-url: setup-node would write an npm auth line
# reading NODE_AUTH_TOKEN, which (left empty) makes npm take
# the classic-auth path instead of the OIDC exchange.
Expand Down Expand Up @@ -245,8 +248,5 @@ jobs:
# Trusted publishing: npm mints short-lived credentials from the
# workflow's OIDC identity (registered on npmjs.com for this repo +
# workflow file). No NPM_TOKEN secret; provenance stays on.
- name: Pin npm 11.18.0 (trusted publishing needs >= 11.5.1)
run: npm install -g npm@11.18.0

- name: Publish to npm
run: npm publish --access public --provenance --ignore-scripts